On 6/7/06, Michel Lemay <[EMAIL PROTECTED]> wrote:
Would it be possible to use a similar technique to generate an URL with query parameters containing user keystrokes? This URL could then be submitted to any compromised website. The attacker could then look into logs and have a peek at theses submitted requests.
Yes, people have prototyped javascript key loggers. http://www.whitehatsec.com/presentations/phishing_superbait.pdf The whole presentation is pretty good, but the specific example relevant to your question starts around page 28. I don't know of any attacks like this seen in the wild so far. The presentation suggests that once two-factor auth becomes common this is where attackers will go next. That makes sense to me. - Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
